Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19"

Transcription

1 Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19 Andrew Sessions, Abel Sussman Biometrics Consortium Conference

2 Agenda Review of the National Strategy for Trusted Identities in Cyberspace Biometric Capability Facilitates NSTIC Mission Success Gap Analysis for Incorporating Biometrics into NSTIC Sample Use Cases Conclusions 2

3 Review of the National Strategy for Trusted Identities in Cyberspace 3

4 The National Strategy for Trusted Identities in Cyberspace (NSTIC) The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions. NIST NSTIC calls for an Identity Ecosystem, an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities. NSTIC is crafting a trustworthy environment for online transactions through the creation of standards and policies required for interoperable trusted credentials that would dramatically reduce online ID theft and fraud 4

5 Identity Ecosystem Overview The Identity Ecosystem consists of the participants, policies, processes, and technologies required for trusted identification, authentication, and authorization across diverse transaction types Supports transactions ranging from anonymous to fully authenticated 5

6 NSTIC and the Identity Ecosystem The Identity Ecosystem provides: An online environment where individuals and organizations can trust each other Agreed-upon security and privacy standards Common identification, authentication, and authorization processes The Identity Ecosystem will offer, but will not mandate, stronger identification and authentication while at the same time protecting privacy *National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy, April

7 Biometrics and NSTIC The goal of the Identity Ecosystem is to identify and authenticate digital identities on the following levels: Individual: person engaged in an online transaction Organizational: non-person entity that engages in or supports a transaction Device: object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject Biometrics provides the ability to enhance authentication services for individuals Will create an additional layer of assurance Provided during credential creation (enrollment) Used during execution (authentication) 7

8 How Biometrics Assists NSTIC Vision Augments hard credentials and name/password pairs Ability to use same biometric as single sign on rather than a multitude of passwords Supports persons having many different credentials Allows for varying levels of secure transactions such high level credentials incorporating biometrics to enable sensitive transactions Binds identity information with individuals Users themselves become the methods for authentication Enhances privacy Biometrics replace the use of SSN and other PII A safer way to secure transactions Biometrics cannot be stolen Remove/reduce need for in-person or mail activity with government Licenses, entitlements, permits can be accessed securely by use of biometrics Promote non-repudiation Biometric signatures ensure that a tax filing or mortgage was performed by the correct person thus promoting non-repudiation Eventual integration with international community Biometrics widely accepted in a variety of nations 8

9 Biometric Capability Facilitates NSTIC Mission Success 9

10 Strategic Goals as Identified by NSTIC NSTIC Vision: Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.* NSTIC has identified several goals: Develop a comprehensive Identity Ecosystem Framework Build and implement interoperable identity solutions Enhance confidence and willingness to participate in the Identity Ecosystem Ensure the long-term success and viability of the Identity Ecosystem Each of these goals can be enhanced by the inclusion of biometrics * NSTIC Governance Workshop June 9-10,

11 Goal 1: Develop a Comprehensive Identity Ecosystem Framework NSTIC Objective Biometric Advantage Establish improved privacy protection mechanisms. Biometrics support non-repudiation and allow only certain individuals access to private information. Establish comprehensive identification and authentication standards based on defined risk models. Biometrics have been integrated, by NIST, into defined authentication levels. Define participant responsibilities in the Identity Ecosystem and establish mechanisms to provide accountability. Incorporation of biometrics brings defined user rights and entity responsibilities. Establish a steering group to administer the standards development and accreditation process for the Identity Ecosystem Framework. The national biometrics community has extensive experience in developing standards. 11

12 Goal 2: Build and Implement Interoperable Identity Solutions NSTIC Objective Implement the private-sector elements of the Identity Ecosystem. Biometric Advantage Many private sectors are using biometrics to bind identity information with individuals. Some examples include finance, healthcare, consumer electronics and gaming. Implement the state, local, tribal, and territorial government elements of the Identity Ecosystem. State, local, tribal, and territorial governments have leveraged biometric technology to enhance the first responder community and establish residency. Implement the Federal Government elements of the Identity Ecosystem. The Federal government has used biometrics as a basis to issue secure identity credentials. Promote the deployment of interoperable solutions to implement the Identity Ecosystem Framework. Biometrics have standards established enabling encryption and data sharing which will be crucial to NSTIC s success. 12

13 Goal 3: Enhance Confidence and Willingness to Participate in the Identity Ecosystem NSTIC Objective Biometric Advantage Provide awareness and education to enable informed decisions. Training is a highly recommended industry practice for any application involving biometrics. Identify other means to drive widespread adoption of the Identity Ecosystem. Federal and commercial organizations are familiar with how to make the public aware of biometric systems. 13

14 Goal 4: Ensure the Long-Term Success and Viability of the Identity Ecosystem NSTIC Objective Biometric Advantage Drive innovation through aggressive science and technology (S&T) and research and development (R&D) efforts. Biometrics is a new technology that has undergone rapid growth since 2001, and offers numerous opportunities for science and research. Integrate the Identity Ecosystem internationally. International standards and standards bodies promote the interoperability of biometrics and associated data. 14

15 Gap Analysis for Incorporating Biometrics into NSTIC 15

16 Implementation of NSTIC biometric goals Several enhancements are needed before NSTIC can successfully incorporate biometrics: User Perception Acceptance and trust of biometrics by the public is improving Interoperability Leveraging existing standards development Technical hazards Understanding the vulnerability of biometric templates and other security issues Rules & regulations Specific policies may need to be developed to administer biometric data 16

17 Public Perception of Biometrics Sociological studies have been conducted to better understand the public/user perception of biometric systems Acceptance and trust are among the most important factors to consider when designing a biometric integration for virtually any application, including NSTIC. Social studies have been conducted and show that the public is very trusting and accepting of biometrics The collection of biometric data (along with the collection of any other piece of privately identifiable information [PII]) has not been without controversy America Identified by Lisa Nelson of the University of Pittsburgh, as well as the 2011 National Biometrics Challenge Document details some of the public s perceptions of biometric identification technology in the context of privacy, security, and civil liberties * Image source: boingboing.net 17

18 Public Perception Regarding Self-Identifying Information Average ratings assigned by biometric users and nonusers when asked the question: How safe do you feel each of the following types of information is as a way to protect your personal records from access unauthorized persons?" Scale: 5 Very safe 1 Not at all safe Data from America Identified by Lisa S. Nelson 18

19 Public Perception of Major Biometric Modalities Average ratings assigned by biometric users and nonusers when asked the question: "How safe do you feel each of the following types of biometrics is as a way to protect your personal records from access by unauthorized persons? Scale: 5 Very safe 1 Not at all safe Biometric user (mean) Biometric nonuser (mean) Total (mean) Facial recognition Fingerprints Iris/retinal scans Data from America Identified by Lisa S. Nelson 19

20 Interoperability The use of NSTIC enabled biometrics must be functional across a wide array of electronic devices. It will not be successful if limited to only one usable device This not only includes different operating systems but different hardware, different builds, and different versions User templates must be shared between entities (i.e. corporations, retailers, etc.) Biometric Application Programming Interface (BioAPI) has provided foundations for multiple biometrics applications on multiple systems on the Internet to interwork (telebiometrics) Expanding existing standards will promote needed plug-and-play systems 20

21 Technology Vulnerabilities For remote logical authentication a lack of control in the biometric capture device may have biometrics highly susceptible to spoofing and replay attacks Phishing attacks may target biometrics in addition to other data Other common security issues that users need to be protected against: Hill-climbing: attackers try to build successful biometric through incremental changes in template submission Man-in-the-Middle: attacker makes independent connections with the victims If successfully stolen these powerful identity credentials will enable hyper-identity theft* Need to maintain cryptographic security on templates and transmission Further research into revocable biometrics to determine usefulness in NSTIC enviroment *Source: Aaron Titus, NSTIC s Effects on Privacy 21

22 Rules and Regulations A need for regulation to specify electronic transfer of biometric samples Data security E-transaction Identity Management (IdM) Must conform to NSTIC requirements A need for standards to be developed by the biometrics community Electronic biometric capture best practices Computing power or digital camera specifications File size and transfer limits A need for regulations from Internet Service Providers (ISPs) Data encryption, wireless packets, security A need for law enforcement policies Policies are necessary to determine how law enforcement can be engaged e.g. requesting templates 22

23 Withdrawing There must be guidelines for how to be removed from the program if a user wishes to withdraw after becoming a member All contractual obligations to the program need to be stated Any continual use of user data with shared parties must be disclosed Clear methods for what to do with an account of terminated due to legal matters Currently there is no policy for stored biometric samples and templates when a user is removed 23

24 Sample Use Cases 24

25 NSTIC & Biometrics Use Case Healthcare 1 Develop a comprehensive Identity Ecosystem Framework Establish improved privacy protection mechanisms Current Issues: The medical industry is moving towards electronic medical records that are personal and portable Consumers have concerns for the security and privacy of this data Through biometrics, consumers will be able to authorize the release of their health records to doctors and specialists Use Case: Sam would like to transfer medical records from one provider to another Using a smartphone the records are forwarded Sam s fingerprint is used to authenticate ownership and open records 25

26 NSTIC & Biometrics Use Case Electronic Finance 1 Develop a comprehensive Identity Ecosystem Framework Establish comprehensive identification and authentication standards based on defined risk models Current Issues: Consumers need to keep financial accounts private and secure Financial institutions need to safeguard against fraud and assure non-repudiation Through biometrics, users will have an alternative to account numbers and passwords Use Case: Working from home, Lee wants to trade stocks Using biometrics, Lee can access his account by providing his face for facial recognition along with a fingerprint The financial website uses standard biometric web services to authenticate the samples 26

27 NSTIC & Biometrics Use Case Federal Entitlement 2 Build and implement interoperable identity solutions Implement the Federal Government elements of the Identity Ecosystem Current Issues: Government centers are overloaded with processing routine requests because citizens need to attend by being there in-person Biometrics will relieve the need for in-person requirements Use Case: Pat lives in an area that was declared a Federal Disaster area Since Pat does not have access to high technology, Pat uses the telephone to contact FEMA and request benefits (rather than visit a FEMA location in person) FEMA uses voice recognition biometrics to confirm Pat s identity and provide assistance 27

28 Conclusions 28

29 Conclusions Biometrics has a defined operations area within NSTIC and can provide identity assurance at the highest levels The public-at-large is willing to provide biometrics in exchange for additional security services Concerns about biometric security fall within standard enterprise assurance measures and additional mitigations need to be explored Interoperability is needed between vendors and web services Recommend creating specialized working group within NSTIC community to review gaps and strategize solutions 29

30 Implementing Biometric Credentials Government must move quickly or industry may independently propose competing standards Betamax vs. VHS, Blueray vs. HD DVD There are ways to compete within the identify ecosystem aside from cost Biometric modalities Interoperability Security levels Security level of a credential be measureable 30

31 Contact Abel Sussman Lead Associate Andrew Sessions Associate (o) 703/ (e) (o) 703/ (e) 31

32 Backup Slides 32

33 Authentication Assurance and Biometrics NIST provides technical requirements for implementing Office of Management and Budget memorandum (OMB 04-04)*. Authentication methods for each assurance level are as follows: Level Method Authentication Factor OMB assurance description Level 1 user name / password 1-factor authentication Little or no confidence in the asserted identity s validity Level 2 user name / strong password 1-factor authentication Some confidence in the asserted identity s validity Level 3 Two elements from the following [ user name / strong password, token, biometric] Level 4 All three elements [user name / strong password, token, biometric] 2-factor authentication 3-factor authentication High confidence in the asserted identity s validity Very high confidence in the asserted identity s validity Level 1 Level 2 Level 3 Level 4 No use of biometrics No use of biometrics May use biometrics Must use biometrics * There are other technical factors as part of NIST Authentication criteria 33

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP 1. Identity Ecosystem Steering Group Charter The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy), signed by President

More information

Identity: The Key to the Future of Healthcare

Identity: The Key to the Future of Healthcare Identity: The Key to the Future of Healthcare Chief Medical Officer Anakam Identity Services July 14, 2011 Why is Health Information Technology Critical? Avoids medical errors. Up to 98,000 avoidable hospital

More information

Identity and Access Management Initiatives in the United States Government

Identity and Access Management Initiatives in the United States Government Identity and Access Management Initiatives in the United States Government Executive Office of the President November 2008 Importance of Identity Management within the Federal Government "Trusted Identity"

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

Biometrics in Identity as a Service

Biometrics in Identity as a Service Daon - your trusted Identity Partner Biometrics in Identity as a Service What is BaaS and who is doing it? Catherine Tilton 28 September 2011 The Need As the world becomes more interdependent, as transactions

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER with Convenience and Personal Privacy version 0.2 Aug.18, 2007 WHITE PAPER CONTENT Introduction... 3 Identity verification and multi-factor authentication..... 4 Market adoption... 4 Making biometrics

More information

Opinion and recommendations on challenges raised by biometric developments

Opinion and recommendations on challenges raised by biometric developments Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future

More information

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything

More information

Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013

Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013 Is the Device User the Device Owner? A paper prepared for Biometrics UnPlugged: Mobility Rules Executive Summit - Tampa Monday, September 16, 2013 Rod Beatson President, Transaction Security, Inc. Rod.Beatson@crypto-sign.com

More information

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Dr. Christos K. Dimitriadis Security Officer INTRALOT S.A. Scope and Agenda

More information

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to

More information

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Polling Question Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Please type in your response. This poll will close promptly at 1:00 pm CDT Getting the

More information

Digital identity: Toward more convenient, more secure online authentication

Digital identity: Toward more convenient, more secure online authentication Digital identity: Toward more convenient, more secure online authentication For more than four decades, the familiar username/password method has been the basis for authentication when accessing computer-based

More information

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Audio: This overview module contains an introduction, five lessons, and a conclusion. Homeland Security Presidential Directive 12 (HSPD 12) Overview Audio: Welcome to the Homeland Security Presidential Directive 12 (HSPD 12) overview module, the first in a series of informational modules

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government Briefing W. Frisch 1 Outline Digital Identity Management Identity Theft Management

More information

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006 Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Multi-Factor Authentication of Online Transactions

Multi-Factor Authentication of Online Transactions Multi-Factor Authentication of Online Transactions Shelli Wobken-Plagge May 7, 2009 Agenda How are economic and fraud trends evolving? What tools are available to secure online transactions? What are best

More information

CREDENTIAL MANAGEMENT

CREDENTIAL MANAGEMENT CREDENTIAL MANAGEMENT Meeting the challenges of cyber and physical security threats is a necessity for the private and public sectors in the 21 st Century. With continually changing threats to security,

More information

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Background On Aug. 27, 2004, the President issued a Homeland Security Presidential

More information

Deciphering the Legal Framework that Governs Online Identity Systems

Deciphering the Legal Framework that Governs Online Identity Systems Deciphering the Legal Framework that Governs Online Identity Systems SESSION ID: LAW-W04A Thomas J. Smedinghoff Partner Edwards Wildman Palmer LLP Chicago, Illinois TSmedinghoff@EdwardsWildman.com @smedinghoff

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

An NSTIC-Compliant Identity Ecosystem For Preventing Consumer Identity Theft

An NSTIC-Compliant Identity Ecosystem For Preventing Consumer Identity Theft An NSTIC-Compliant Identity Ecosystem For Preventing Consumer Identity Theft Executive Summary Bob Pinheiro Robert Pinheiro Consulting LLC nstic@bobpinheiro.com This note proposes that emerging NSTIC-compliant

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

Federal Identity, Credential, and Access Management Trust Framework Solutions. Overview

Federal Identity, Credential, and Access Management Trust Framework Solutions. Overview Federal Identity, Credential, and Access Management Trust Framework Solutions Overview Version 1.0 02/07/2014 Questions? Contact the FICAM TFS Program Manager at TFS.EAO@gsa.gov 1 Table of Contents 1.

More information

Business Case for Voltage SecureMail Mobile Edition

Business Case for Voltage SecureMail Mobile Edition WHITE PAPER Business Case for Voltage SecureMail Mobile Edition Introduction Mobile devices such as smartphones and tablets have become mainstream business productivity tools with email playing a central

More information

Managing Trust in e-health with Federated Identity Management

Managing Trust in e-health with Federated Identity Management ehealth Workshop Konolfingen (CH) Dec 4--5, 2007 Managing Trust in e-health with Federated Identity Management Dr. rer. nat. Hellmuth Broda Distinguished Director and CTO, Global Government Strategy, Sun

More information

Application of Biometric Technology Solutions to Enhance Security

Application of Biometric Technology Solutions to Enhance Security Application of Biometric Technology Solutions to Enhance Security Purpose: The purpose of this white paper is to summarize the various applications of fingerprint biometric technology to provide a higher

More information

Security Characteristics of Cryptographic Mobility Solutions

Security Characteristics of Cryptographic Mobility Solutions Security Characteristics of Cryptographic Mobility Solutions Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 sarbari@electrosoft-inc.com http://www.electrosoft-inc.com Agenda What is a Cryptographic

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

How TraitWare TM Can Secure and Simplify the Healthcare Industry

How TraitWare TM Can Secure and Simplify the Healthcare Industry How TraitWare TM Can Secure and Simplify the Healthcare Industry January 2015 Secure and Simplify Your Digital Life. Overview of HIPPA Authentication Standards When Title II of the Health Insurance Portability

More information

Biometrics and Cyber Security

Biometrics and Cyber Security Biometrics and Cyber Security Key Considerations in Protecting Critical Infrastructure Now and In The Future Conor White, Chief Technology Officer, Daon Copyright Daon, 2009 1 Why is Cyber Security Important

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or SBA Procedural Notice TO: All SBA Employees CONTROL NO.: 5000-1323 SUBJECT: Acceptance of Electronic Signatures in the 7(a) and 504 Loan Program EFFECTIVE: 10/21/14 The purpose of this Notice is to inform

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

The Rise of Identity Proofing Services in the Federal Government

The Rise of Identity Proofing Services in the Federal Government The Rise of Identity Proofing Services in the Federal Government Jamie Danker, Verification Privacy Officer, Office of Privacy, U.S. Citizenship and Immigration Services Naomi Lefkovitz, Senior Privacy

More information

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014

Privacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014 For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014 Point of Contact and Author: D Mekka Thompson DMekka.Thompson@ed.gov System Owner: Greg Robison Greg.Robison@ed.gov Office

More information

State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013

State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013 State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013 Statewide Information Management Manual (SIMM) Section 158A Enterprise Architecture

More information

Online Identity Attribute Exchange 2013-2014 Initiatives

Online Identity Attribute Exchange 2013-2014 Initiatives Online Identity Attribute Exchange 2013-2014 Initiatives Agenda Overview AXN Services Framework Demonstration NSTIC Pilots Summary ABAC Services Attribute Exchange Network Page 2 AXN - Enabling IT & Other

More information

Multi-factor authentication

Multi-factor authentication CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

More information

Security It s an ecosystem thing

Security It s an ecosystem thing Security It s an ecosystem thing Joseph Alhadeff Vice President Global Public Policy, Chief Privacy Strategist The Security challenge in the before time. Today s Threat Environment

More information

Online Lead Generation: Data Security Best Practices

Online Lead Generation: Data Security Best Practices Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:

More information

Challenges of Integrating Data. Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions

Challenges of Integrating Data. Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions Challenges of Integrating Data Driving Factors A Systems Development Lifecycle Primer Data Security Considerations Integration Approach Questions Page 1 Driving Factors Integration of significant disparate

More information

WHITE PAPER Usher Mobile Identity Platform

WHITE PAPER Usher Mobile Identity Platform WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction

More information

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 141 PURPOSE (CT-IM-112; 07-30-2010) (Office of Origin: IRM/OPS/ITI/SI/IIB) The purpose of this FAM chapter is to enable the Department to

More information

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014 Standards for Identity & Authentication Catherine J. Tilton 17 September 2014 Purpose of these standards Wide deployment of authentication technologies that may be used in a global context is heavily dependent

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Identity, Credential, and Access Management. Open Solutions for Open Government

Identity, Credential, and Access Management. Open Solutions for Open Government Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management www.idmanagement.gov Open Solutions for Open Government Judith Spencer Co-Chair, ICAM

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

Navigating Endpoint Encryption Technologies

Navigating Endpoint Encryption Technologies Navigating Endpoint Encryption Technologies Whitepaper November 2010 THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS

More information

Security and Privacy Challenges of Biometric Authentication for Online Transactions

Security and Privacy Challenges of Biometric Authentication for Online Transactions Security and Privacy Challenges of Biometric Authentication for Online Transactions Elaine Newton, PhD NIST Information Technology Laboratory, Computer Security Division elaine.newton@nist.gov 1-301-975-2532

More information

Date: Wednesday March 12, 2014 Time: 10:00 am to 2:45 pm ET Location: Virtual Hearing

Date: Wednesday March 12, 2014 Time: 10:00 am to 2:45 pm ET Location: Virtual Hearing Remarks of Catherine Tilton at the Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) held by the Office of the National Coordinator for Health Information Technology Health

More information

User Authentication Guidance for IT Systems

User Authentication Guidance for IT Systems Information Technology Security Guideline User Authentication Guidance for IT Systems ITSG-31 March 2009 March 2009 This page intentionally left blank March 2009 Foreword The User Authentication Guidance

More information

Digital Identity in Healthcare: What's Coming Down the Pike. Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS

Digital Identity in Healthcare: What's Coming Down the Pike. Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS Digital Identity in Healthcare: What's Coming Down the Pike Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS Discussion What is the Problem? What is Digital Identity and How Does

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

Moving to Multi-factor Authentication. Kevin Unthank

Moving to Multi-factor Authentication. Kevin Unthank Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that

More information

Intelligent Security Design, Development and Acquisition

Intelligent Security Design, Development and Acquisition PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New

More information

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2, This document is scheduled to be published in the Federal Register on 09/05/2013 and available online at http://federalregister.gov/a/2013-21491, and on FDsys.gov Billing Code 3510-13 DEPARTMENT OF COMMERCE

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management Multi-Factor Authentication for your Analytics Implementation Siamak Ziraknejad VP, Product Management 1 Agenda What is Multi-Factor Authentication & Why is it important The Usher Security Badge Badge

More information

Strong Authentication for Secure VPN Access

Strong Authentication for Secure VPN Access Strong Authentication for Secure VPN Access Solving the Challenge of Simple and Secure Remote Access W H I T E P A P E R EXECUTIVE SUMMARY In today s competitive and efficiency-driven climate, organizations

More information

Online Cash Management Security: Beyond the User Login

Online Cash Management Security: Beyond the User Login Online Cash Management Security: Beyond the User Login Sonya Crites, CTP, SunTrust Anita Stevenson-Patterson, CTP, Manheim February 28, 2008 Agenda Industry Trends Government Regulations Payment Fraud

More information

Introduction to Online Identity Management By Thomas J. Smedinghoff 1

Introduction to Online Identity Management By Thomas J. Smedinghoff 1 Introduction to Online Identity Management By Thomas J. Smedinghoff 1 1. Identity Management Basics... 3 (a) Identification... 4 (1) Scope and Accuracy... 5 (2) Issuance of Credential... 6 (b) Authentication...

More information

Online/Cloud Services Trust challenges & eidentity-aspects

Online/Cloud Services Trust challenges & eidentity-aspects Online/Cloud Services Trust challenges & eidentity-aspects Erik R. van Zuuren, Director Deloitte AERS Belgium Global Forum Brussels Nov 07/08, 2011 Member of Deloitte Touche Tohmatsu Agenda Weather Forecast

More information

VASCO: Compliant Digital Identity Protection for Healthcare

VASCO: Compliant Digital Identity Protection for Healthcare VASCO: Compliant Digital Identity Protection for Healthcare Compliant Digital Identity Protection for Healthcare The proliferation of digital patient information and a surge in government regulations are

More information

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT Office of Employee Benefits Administrative Manual PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT 150 EFFECTIVE DATE: AUGUST 1, 2009 REVISION DATE: PURPOSE: Ensure that the Office of Employee Benefits

More information

Can We Reconstruct How Identity is Managed on the Internet?

Can We Reconstruct How Identity is Managed on the Internet? Can We Reconstruct How Identity is Managed on the Internet? Merritt Maxim February 29, 2012 Session ID: STAR 202 Session Classification: Intermediate Session abstract Session Learning Objectives: Understand

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

W3C Speaker Identification and Verification Workshop

W3C Speaker Identification and Verification Workshop W3C Speaker Identification and Verification Workshop Speaker Verification in a Multi-Vendor Environment Mr Ross Summerfield (with support from Dr Ted Dunstone and Dr Clive Summerfield) What is Centrelink?

More information

Derived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials

Derived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Daon your trusted Identity Partner Derived Credentials A Use Case Cathy Tilton Daon 1 February 2012 Derived credentials NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Derived credential

More information

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

Module 1: Facilitated e-learning

Module 1: Facilitated e-learning Module 1: Facilitated e-learning CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs... 3 PART 1: CLOUD AND MOBILE COMPUTING... 3 Learning Objectives... 3 1.1

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy 2015 Michigan NASCIO Award Nomination Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy Sponsor: David Behen, DTMB Director and Chief Information Officer Program Manager: Rod Davenport,

More information

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management An information exchange For Information Security and Privacy Advisory Board Deb Gallagher

More information

Levels of Assurance In Electronic Identity

Levels of Assurance In Electronic Identity Levels of Assurance In Electronic Identity Considerations for Implementation Benjamin Oshrin Rutgers University March 2009 1 About This Presentation Based on what we think we re going to have to do Discussion

More information

Creating Trust Online TM. Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates

Creating Trust Online TM. Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates Creating Trust Online TM Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates January 2007 Setting the stage Banking and doing business

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

Page 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Page 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved. Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands Ian Wills Country Manager, Entrust Datacard WHO IS ENTRUST DATACARD? 2 Entrust DataCard Datacard Corporation. Corporation.

More information

ATTACHMENT 1 GUIDANCE ON THE USE OF THE SSN BY THE DEPARTMENT OF DEFENSE

ATTACHMENT 1 GUIDANCE ON THE USE OF THE SSN BY THE DEPARTMENT OF DEFENSE ATTACHMENT 1 GUIDANCE ON THE USE OF THE SSN BY THE DEPARTMENT OF DEFENSE 1. OVERVIEW a. The SSN has been used as a means to efficiently identify and authenticate individuals. Expanded use of the SSN has

More information

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201. PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize

More information

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements

Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements Joint White Paper: Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements Submitted Date: April 10, 2013 Submitted

More information

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT Name of System/Application: LAN/WAN PRIVACY IMPACT ASSESSMENT U. S. Small Business Administration LAN/WAN FY 2011 Program Office: Office of the Chief Information Officer A. CONTACT INFORMATION 1) Who is

More information

Introduction to The Privacy Act

Introduction to The Privacy Act Introduction to The Privacy Act Defense Privacy and Civil Liberties Office dpclo.defense.gov 1 Introduction The Privacy Act (5 U.S.C. 552a, as amended) can generally be characterized as an omnibus Code

More information

Secure communications via IdentaDefense

Secure communications via IdentaDefense Secure communications via IdentaDefense How vulnerable is sensitive data? Communication is the least secure area of digital information. The many benefits of sending information electronically in a digital

More information

Strong Authentication. Securing Identities and Enabling Business

Strong Authentication. Securing Identities and Enabling Business Strong Authentication Securing Identities and Enabling Business Contents Contents...2 Abstract...3 Passwords Are Not Enough!...3 It s All About Strong Authentication...4 Strong Authentication Solutions

More information

Fundamentals of Network Security - Theory and Practice-

Fundamentals of Network Security - Theory and Practice- Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring

More information

Cloud-Based Identity Services

Cloud-Based Identity Services Cloud-Based Identity Services TrustX Technologies, Inc. 11325 Random Hills Rd., Suite 650 Fairfax, VA 22030 TrustX Identity Services Affordable Identity Assurance TrustX is a cloud-based implementation

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information